COMPLIANCE BRIEFING: BLOG

There’s a lot of preparation to do before GDPR comes into force, but organisations can save themselves time by stopping to assess the value of the data they hold.Is the data being used? Does holding on to it serve a purpose?

At the moment, organisations can ask permission to collect personal data. They can then use this data for a variety of internal purposes. The data we give to set up an account can be used for marketing, analytics, and product development, really anything that it could be useful for.

GDPR will put an end to this catch-all permission system. Organisations will need to acquire permission from individuals for each use of their data.

Organisations not only need to modify their data collection practices; they need to assess what data they currently hold. What’s it being used for? Who has access to it and why? Where is it being stored (is it all in one database? How do you know if multiple employees have downloaded the data and have it sitting on spreadsheets across multiple devices?)

What questions do organisations need to ask themselves about their data management processes before GDPR comes into force?

1. Do you really need the data?Once you know what data is being collected and stored, you need to ask what the data is being used for. Is data collected to form the customer database also being used by the marketing team to send newsletters to email and marketing material through the post? Maybe your loyalty card database is also being used by product development to analyse the social status of your customers?

After GDPR comes into force, organisations will need explicit permission for any use of customer data outside its original purpose. So it’s important to know exactly what data you’re using.

Do you really need the data of a client that hasn’t done business with you for ten years? Is that data being used for anything? If so, what and why?Keeping unnecessary data around will only be a drain on the organisation’s resources after May 2018, so it’s a good idea to cull any excess data before the deadline.

2. How does the organisation control access to data?GDPR compliance will mean a tightening of access controls. The permission-based system introduced under GDPR will give individuals more control over what their data is used for.

All organisations will need to put systems in place that enable them to monitor who is accessing the data, how long they spend looking at the data and record any changes they make to the data. Some people may simply need ‘read only’ access – in which case they should be prevented from downloading the data or taking screenshots of it.

3. Can you be sure that your data is accurate?Is the data you hold on individuals accurate and up-to-date? Do you have permission to use it in the way you do?Of course, inaccurate data is useless to organisations anyway, so identifying and eliminating this information shouldn’t be an issue.4. What training does your team need?It’s likely that many of us have picked up working habits that wouldn’t be able to continue under GDPR. Whether it’s emailing ourselves spreadsheets to work on at home, or sharing data with our colleagues over unsecured wifi, there will be some practices that need to change.

People usually take the easiest and quickest route to completing a task. So any software or solution that organisations introduce will need to be efficient. Employees will also need training and support in using any new systems and in changing the way that they’ve worked for years.

They need to be fully informed of the legislation. They need to be aware of the rights individuals have over their data, and of their right to be forgotten. They need to know that they can’t just use data as they see fit, they need to check that permission has been give freely and that they have a genuine need to access and use the data.

In training teams to cut down on excessive data collection and use now, you can make sure that all employees are fully prepared for the changes GDPR will require by the time these practices become a legal obligation.

Only after organisations have assessed their current data practices, can they create a plan and train their employees in the new best practice for data collection, processing and secure access and storage.